You miss the fact that there is no requirement to keep the actual data.
You need to keep traffic logs. That is not the 300GB/year that you download, but the list of files that you download. Assuming that the average file is larger than its name, this is substantially less data.
SuSE Linux has both these features.
Parallel startup is nice until you want to debug something and turn it off.
Graphic progress bar display instead of boring scrolling text is good for desktop use, but is also something I usually disable and never re-enable later.
SuSE has had this parallel startup for some time, using the listed dependencies.
It is usually the first thing I turn off after an install, but someone caring about startup time will love it.
There are more problems... :-(
Another bad thing is that it still talks SMTP instead of ESMTP so at the beginning of a mail transaction there is no information about message size.
When you set a maximum message size, say 15MB, you cannot refuse the message at the "MAIL FROM" but you send a 554 reply at the end of the DATA phase. But because this program won't take NO (a 5xx reply) for an answer, it will again go along all the MXes and probably put this (large) message on the retry queue and send it several times
There is also a proxy, though I have not yet found which one it is, that does not handle a dot at the beginning of a line. SMTP servers are supposed to add an extra dot. Because this one doesn't, one dot is eaten on each such line, and when the user types a line with a single dot the receiver SMTP will end the message there, send the 250 OK reply and deliver it, but the sender SMTP continues sending message data. It does not understand that the partial message has been accepted, and keeps trying (delivering multiple copies) until its retry time elapses.
Combined with the fact that some user agents wrap long lines in an unintelligent way, you are sure to hit this sometime when two users keep replying to each other's mail, quoting the entire previous conversation each time.
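The dot handling described above, as an added example that is not part of the original post: RFC 5321 (section 4.5.2) requires the sending side to put an extra dot in front of every body line that starts with a dot, and the receiving side to strip one again, so that the only bare "." line on the wire is the end-of-DATA marker. The sample message is constructed for the demo; broken_relay() models a hop that has already un-stuffed the message and forwards the lines without stuffing them again.

```python
"""SMTP transparency (dot-stuffing, RFC 5321 section 4.5.2) and what a relay
that skips it does to a message.

Added example, not code from the original post; the sample message is
constructed for the demo.
"""

CRLF = "\r\n"


def dot_stuff(body: str) -> str:
    """Sending side: every line that begins with '.' gets one extra '.' in
    front, so the only bare '.' line on the wire is the end-of-DATA marker."""
    lines = body.split(CRLF)
    stuffed = [("." + ln) if ln.startswith(".") else ln for ln in lines]
    return CRLF.join(stuffed) + CRLF + "." + CRLF


def receive_data(stream: str):
    """Receiving side: read lines up to the bare '.', dropping one leading '.'
    from each stuffed line.  Returns (message_body, bytes_left_unread)."""
    out = []
    pos = 0
    while True:
        end = stream.find(CRLF, pos)
        if end == -1:
            raise ValueError("DATA block not terminated")
        line = stream[pos:end]
        pos = end + len(CRLF)
        if line == ".":
            return CRLF.join(out), stream[pos:]
        if line.startswith("."):
            line = line[1:]
        out.append(line)


def broken_relay(body: str) -> str:
    """A relay that has already un-stuffed the message and forwards the lines
    verbatim instead of calling dot_stuff() again.  This models the failure
    the post describes: the next hop eats one dot per dotted line and stops
    at the first line that was a single '.' in the original message."""
    return body + CRLF + "." + CRLF


def roundtrip_ok(body: str) -> bool:
    """True when stuffing and un-stuffing return the body unchanged."""
    got, rest = receive_data(dot_stuff(body))
    return got == body and rest == ""


# Constructed sample: a line starting with a dot and a line that is only a dot.
SAMPLE_BODY = CRLF.join([
    "Subject: test",
    "",
    "line one",
    ".starts with a dot",
    ".",
    "this line is lost by a broken relay",
])

if __name__ == "__main__":
    print("stuffed round trip ok:", roundtrip_ok(SAMPLE_BODY))
    got, rest = receive_data(broken_relay(SAMPLE_BODY))
    print("broken relay delivered:", repr(got))
    print("broken relay left unread:", repr(rest))
```

Running the file shows the round trip succeeding, while the broken relay delivers only the first four lines (with the leading dot of ".starts with a dot" eaten) and leaves the rest of the body, plus a second terminator, unread on the connection. That leftover is what the sending side keeps trying to deliver.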
This is analogous to the idea that mail should remain on the sender's mailserver until the receiver has indicated it wants to receive it.
Now, the sender sends to the receiver's server and loses control and responsibility of the message as soon as it is accepted.
What should be done instead is only send some very small indication to the receiver that a message is ready to be picked up at their sending server. The spammer will be left with all messages until the receivers pick them up.
In normal mail traffic, this system has the advantage that it is easier to oversee that the message gets to the intended destination (and not dropped without notice somewhere halfway), and that you can cancel the message until the moment it is actually read.
This trick does help a little bit, but it also causes a problem.
There is extremely buggy mail software around. Especially the "mail proxy" stuff that you place between an Exchange server and the outside world, that acts as a virus scanner or spamfilter.
Example: McAfee/NAI Webshield.
This server will send mail to your domain to the lowest MX, and when it is refused with a 550 (user not existing) it will just go on to the next higher MX to try it there!
When the highest MX happens to be unreachable, it will put the message on the retry-queue (because it only remembers the latest status, which was an unreachable server).
So, it will re-try sending the message until the maximum time on queue has elapsed, usually 2 days or so.
Anyone sending a message to some_nonexisting_user@your_domain.com will be delivering that message every 15 minutes or so, for two days.
Of course this is a bug in that specific program, but it can be quite irritating when people who often misspell mail addresses live at a domain using that software.
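The two client-side rules at issue here and in the "more problems" post above, as an added example that is not code from the original posts or from the product they name: with ESMTP the client announces SIZE on MAIL FROM so an oversized message is refused before any DATA is sent, and a 5xx reply is a final answer that must not be retried on the next MX. The hosts, the 15 MB limit, the addresses and the reply texts are constructed for the demo; deliver_last_status_only() models only the behaviour the post describes, not the product itself.

```python
"""How an SMTP client should walk the MX list, use the SIZE extension and treat
reply codes.  Added example, not code from the original posts or from any
product named there; hosts, limits, addresses and reply texts are constructed.
"""
from typing import Dict, List, Optional, Tuple

Reply = Tuple[int, str]
MX = List[Tuple[int, "Host"]]


class Host:
    """Scripted receiving server: fixed EHLO reply, optional size limit,
    per-recipient verdicts (unknown recipients get 550)."""

    def __init__(self, ehlo: Reply, size_limit: Optional[int] = None,
                 verdicts: Optional[Dict[str, Reply]] = None,
                 reachable: bool = True):
        self.ehlo_reply = ehlo
        self.size_limit = size_limit
        self.verdicts = verdicts or {}
        self.reachable = reachable
        self.bytes_received = 0

    def mail_from(self, announced: Optional[int]) -> Reply:
        # ESMTP: MAIL FROM:<..> SIZE=n lets the server refuse an oversized
        # message before a single byte of DATA has been sent.
        if announced is not None and self.size_limit is not None \
                and announced > self.size_limit:
            return (552, "5.3.4 message size exceeds fixed maximum")
        return (250, "2.1.0 OK")

    def rcpt_to(self, addr: str) -> Reply:
        return self.verdicts.get(addr, (550, "5.1.1 user unknown"))

    def data(self, size: int) -> Reply:
        # Plain SMTP: the server only learns the size after the whole body.
        self.bytes_received += size
        if self.size_limit is not None and size > self.size_limit:
            return (554, "5.3.4 message too big")
        return (250, "2.0.0 queued")


def advertised_limit(ehlo_text: str) -> Optional[int]:
    """Pick the SIZE limit out of a multi-line EHLO reply, if present."""
    for line in ehlo_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].upper() == "SIZE" and parts[1].isdigit():
            return int(parts[1])
    return None


def deliver(mx: MX, rcpt: str, size: int, esmtp: bool = True) -> Tuple[str, Optional[int]]:
    """Correct client: a 5xx reply is final, so stop and bounce at once.
    Unreachable hosts and 4xx replies are temporary: try the next MX, and
    defer (queue for retry) only when every host failed temporarily."""
    for _pref, host in sorted(mx, key=lambda p: p[0]):
        if not host.reachable:
            continue
        code, text = host.ehlo_reply
        if code != 250:
            continue
        # SIZE may only be announced if the server advertised the extension.
        limit = advertised_limit(text) if esmtp else None
        steps = (lambda: host.mail_from(size if limit is not None else None),
                 lambda: host.rcpt_to(rcpt),
                 lambda: host.data(size))
        for step in steps:
            code, _ = step()
            if code >= 500:
                return ("bounced", code)   # permanent: do not try other MXs
            if code >= 400:
                break                      # temporary: next MX
        else:
            return ("delivered", code)
    return ("deferred", None)


def deliver_last_status_only(mx: MX, rcpt: str) -> Tuple[str, Optional[int]]:
    """The behaviour the post describes: keep walking the MX list after a 550
    and remember only the last host's status, so an unreachable backup MX
    turns a permanent rejection into a queued retry.  Reduced to RCPT TO."""
    last: Tuple[str, Optional[int]] = ("deferred", None)
    for _pref, host in sorted(mx, key=lambda p: p[0]):
        if not host.reachable:
            last = ("deferred", None)
            continue
        code, _ = host.rcpt_to(rcpt)
        if code < 300:
            return ("delivered", code)
        last = ("bounced", code) if code >= 500 else ("deferred", code)
    return last


def demo() -> Dict[str, tuple]:
    """Constructed domain: primary MX with a 15 MB limit, backup MX down."""
    primary = Host((250, "mx1.example.com\r\nSIZE 15728640\r\n8BITMIME"),
                   size_limit=15728640, verdicts={"alice@example.com": (250, "2.1.5 OK")})
    mx = [(10, primary), (20, Host((250, "mx2.example.com"), reachable=False))]
    big = 20 * 1024 * 1024
    r = {}
    r["unknown user, correct client"] = deliver(mx, "nobody@example.com", 1000)
    r["unknown user, last-status client"] = deliver_last_status_only(mx, "nobody@example.com")
    r["20 MB, ESMTP"] = deliver(mx, "alice@example.com", big) + (primary.bytes_received,)
    r["20 MB, plain SMTP"] = deliver(mx, "alice@example.com", big, esmtp=False) + (primary.bytes_received,)
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints four outcomes: the correct client bounces the unknown user on the 550 from the primary MX, the last-status client ends up deferring the same message because the backup MX was down, the ESMTP client gets a 552 on MAIL FROM with zero body bytes sent, and the plain SMTP client pushes the whole 20 MB before collecting a 554.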
But virtually all spam email is sent via compromised Windows boxes by special spam sending software, which can see and log the delivery failure without a "your email bounced" message!
However, I have not seen the described effect even after many "bounces" by a filtering mail server that sends back error messages immediately on the SMTP connection when the mail is not accepted.
It probably depends on whose list(s) you are on.
Sometimes the PowerEdge SC420 is cheaper than the equivalent desktop from Dell, sans OS.
But be careful, the SCSI version won't run a standard Linux version, it needs a binary-only driver for the bastardized Adaptec controller, which is only available for a few selected (and aged) distributions.
With Linux, you have a choice
With Linux, yes. But with Dell, not necessarily.
Every time you order a new Dell system it is a question whether it will run Linux.
Dell supports Red Hat Linux. That will work.
But we use SuSE, and nasty things happen.
For example, we have ordered a number of SC400 servers and were very happy. Then, it was replaced by the SC420. So we ordered one of these, without OS. Red Hat is supported on it.
But SuSE 9.2 does not recognize the SCSI controller. Why? Because Dell got a modified 39320 SCSI controller from Adaptec that can only work in the "HOSTRAID" mode (Adaptec's swindle to make you think you buy a RAID controller while it actually is just a SCSI controller with a driver).
The problem is that Linux does not support the HOSTRAID mode, and Adaptec only provides a (binary) driver for the OS versions it likes. SuSE 9.2 is not amongst these.
So the machine is sitting at the YaST installation screen, waiting for a solution. I know I can solve it but it takes hours of extra time for what should have been a smooth install.
This is not the first time this has happened to us. Dell just buys what is cheapest for them at that moment (the SC400 had an MPT SCSI controller), and lets the customer sort out the problems.
Here in the Netherlands the government wants providers to keep a log of all mail (http, ftp, whatever) traffic that goes over their lines.
No. Not a log of all mail, but a log from the mailserver, with sender and recipient addresses.
Microsoft provides DNS and mail service hosting to the large scale lottery scam.
Next time you receive one of these ("you have won a big prize in the lottery") check the domain name you are supposed to send mail to. Usually some variation on "cashchangeukltd.com".
Do a whois on it. In 99% of cases, it has been registered by Microsoft!
The "technical contact" is an address that only sends an auto-reply telling you another address (pdbeta@microsoft.com). That one is linked to /dev/null.
When you send a mail to the mentioned cashchange address, it usually returns after a few days with some "mailbox overflow" or "could not contact mailserver" reply *FROM HOTMAIL*.
So, Microsoft are fully in the position to do something with this. Yet, they ignore all abuse mail about this topic.
In my country, a supplier has the obligation to support the product to the point where it can be considered to be fit for the purpose it was sold for.
Extra agreements are only for extra service like help with configuration, but fixing critical defects should be done for anyone even without such agreements.
Between the $80 NAT boxes and the high-end, there still are the $1000-$3000 small business boxes.
(1xxx, 2xxx and 3xxx series)
These typically have one or two fast interfaces and a couple of "slow" (below 10 Mbit) interfaces, and today's PCs can do that in software.
Many of the Cisco boxes in the above-mentioned range have quite limited "expansion slot" capacity when compared to a PC, so especially for applications with more than two or three ports a PC may be at an advantage.
(For example, in a small business where you want to connect a LAN, a DMZ, two DSLs and a couple of ISDNs for backup, you need a 3000 series box. But in terms of performance, the DSLs are the limiting factor and a PC would be adequate.)
Cisco has more than the 6500.
Cisco also has the 800, 1700, 1800, 2600, 2800, 3700, 3800 series.
Those have a slow CPU that you really have to avoid overloading. It has to be assisted by "coprocessors" for mundane tasks like encryption and compression, that a P4 could do at ease.
I'm actually quite disappointed with Cisco support.
They will help you when you are a large customer, but as a small business they completely ignore you.
I can understand that they can't make money from a small customer, but I think they should give support to everyone that bought their products.
You are describing the situation for a high-end box.
Now look at a 17xx, 37xx etc, and the typical environments they are found in.
In pure CPU power a PC is 25 times faster than those, and the bus is fast enough to accommodate the same types of interfaces these routers support.
When I made some quick calculations 2 years ago, a PC solution for a 3-office network with cisco 3725 at head office and 1721s at branches (for connecting LANs using IPsec over DSL) was 2-3 times more expensive than the equivalent solution using PCs and Linux.
A modest PC, at that time a 2 GHz P4, can of course completely saturate the DSL. In fact, the 1721s are underpowered for this purpose as they cannot have both encryption and compression co-processors.
At that time, Cisco was chosen because it was the "professional solution".
We still regret the decision. Seldom has a single piece of equipment caused more problems. There are bugs that have plagued us since the beginning, and as such a small customer we are completely ignored by Cisco.
And then I am not even touching the limitations in flexibility...
You have switches with DSL interfaces, with modem interfaces, with IPsec built in?
What make are they?
Actually it is called "jvmsetup", but you probably found that. "setjava" was the name of the wrapper script I used to automatically set another java version on our remotely administered workstations...
There is one South-African channel available on satellite here in Europe but it is NSAT.
It seems to be focused on giving information about SA to viewers abroad. Many countries have such a channel.
That should not be difficult when the situation really is like the poster describes.
We have operated the network like this for several years at work, and we don't have a virus/trojan/spyware problem.
Begin with configuring your proxy/firewall so that exe files cannot be downloaded.
Then setup your workstations so that the user behind the keyboard has no permission to install software.
While there are still some badly developed programs around in Windows, the above is largely historic.
All software that refuses to run as a user, and did not get updated by now, deserves to die. Developers have had at least 5 years to change their attitude.
There is a program "setjava" with in the OpenOffice directory that lets you re-select the java environment it uses.
Anything under %windows% should be read-only to the user.
Set up an administrative and a user account, lock down Windows (tools for that are included on the resource kit CD) and a script running for the user will not be able to clobber hosts files, install spyware, infect the system with viruses, etc.
When will Windows people learn from Linux?